Two months ago, the introduction of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”) significantly changed our data protection landscape (see our related blogs). Reference to “GDPR” became a daily occurrence in shops and offices, and received daily attention on social media and in the press.
What received little attention, however, were changes introduced about how police and criminal justice agencies process personal data - provisions that were introduced by the Law Enforcement Directive (“LED”) or, as it is formally known, “Directive 2016/6801 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA”.
This is the first in a series of blogs looking at the this overlooked element of the Data Protection Act 2018 relating to law enforcement and criminal justice.
Overview – who does it apply to?
The LED dovetails with the GDPR, which does not deal with data processing for law enforcement purposes. As it is not directly effective legislation, the LED was implemented within Part 3 of the DPA 2018. Parts 5 to 7 of the DPA, which relate to the Information Commissioner’s Office (“ICO”), enforcement of the DPA and supplementary provisions, apply to all elements of the DPA, including Part 3. Schedule 7 of the Act sets out a long list of agencies (including, for example, the FCA and HMRC) to which the provisions apply.
Whilst the LED only applies in relation to cross-border processing of personal data for law enforcement, Part 3 of the DPA also applies to the domestic processing of personal data for such purposes, the aim being to “ensure a coherent regime” across the whole of the law enforcement sector both trans-national and domestic.
The Home Office Fact Sheet provides a helpful summary of the key provisions.
Chapter 1 deals with scope and definitions and then Chapter 2 sets out the six data protection principles that must be complied with. These are similar though not identical to those under the GDPR. For example, there is no requirement under the first principle that processing must be “transparent” given the possibility of prejudice to on-going investigations.
The requirements are that:
- processing be lawful and fair;
- the purposes of processing be specified, explicit and legitimate;
- personal data be adequate, relevant and not excessive;
- personal data be accurate and kept up to date;
- personal data be kept no longer than is necessary; and
- personal data be processed in a secure manner.
Chapter 3 sets out the rights of the “data subject” and provides individuals with a series of rights they can exercise. These include:
- rights of access by the data subject to information about the data processing (including the legal basis for processing, the type of data held, to whom the data has been disclosed, the period for which it will be held and the right to make a complaint);
- the right to rectification of inaccurate data and of erasure of data (or the restriction of its processing) where the processing of the data would infringe the data protection principles; and
- rights in relation to automated decision-making (that is, decision making that has not involved human intervention).
However, restrictions are placed on those rights, where necessary and proportionate, in order to:
- avoid obstructing an investigation or enquiry;
- avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
- protect public security;
- protect national security; and,
- protect the rights and freedoms of others.
Chapter 4 imposes a range of obligations upon controllers and processors, including the requirement to appoint a data protection officer, and deals with reporting of data breaches.
Chapter 5 establishes how and when personal data can be transferred to a third country or an international organisation.
Chapter 6 provides supplementary provisions such as those relating to national security certificates and how infringements of Part 3 should be reported.
The new landscape
The blanket coverage given to the introduction of the GDPR means that the public in general is now more alive to the use of its data, certainly in terms of internet shopping and membership databases for example.
However, less light has been shed on how our personal data is processed by police and law enforcement. Ironically this is where the mishandling of data has the greatest potential for causing prejudice to the individual, and an activity which has long been a concern for practitioners.